Révision 2da48592
Ajouté par jim-p il y a presque 10 ans
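--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -593,10 +593,14 @@
 if (!isset($settings['cert_depth']) && (strstr($settings['mode'], 'tls')))
 $settings['cert_depth'] = 1;
 if (is_numeric($settings['cert_depth'])) {
-$cert = lookup_cert($settings['certref']);
-/* XXX: Seems not used at all! */
-$servercn = urlencode(cert_get_cn($cert['crt']));
-$conf .= "tls-verify \"/usr/local/sbin/ovpn_auth_verify tls '{$servercn}' {$settings['cert_depth']}\"\n";
+if (($mode == 'client') && empty($settings['certref']))
+$cert = "";
+else {
+$cert = lookup_cert($settings['certref']);
+/* XXX: Seems not used at all! */
+$servercn = urlencode(cert_get_cn($cert['crt']));
+$conf .= "tls-verify \"/usr/local/sbin/ovpn_auth_verify tls '{$servercn}' {$settings['cert_depth']}\"\n";
+}
 }
 
 // The local port to listen on
@@ -723,9 +727,12 @@
 case 'server_user':
 $ca = lookup_ca($settings['caref']);
 openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
-$cert = lookup_cert($settings['certref']);
-openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
-openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+
+if (!empty($settings['certref'])) {
+$cert = lookup_cert($settings['certref']);
+openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
+openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
+}
 if ($mode == 'server')
 $conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n";
 if (!empty($settings['crlref'])) {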
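Review bot: The new `if (($mode == 'client') && empty($settings['certref']))` branch in the first hunk drops the `tls-verify` line entirely when a client has no certificate, so the configured `cert_depth` is no longer enforced against the server's certificate for exactly the clients that now rely on username/password instead of a cert. The only value in that branch that actually depends on the local certificate is `$servercn`, which the surrounding comment already flags as apparently unused, so the verify script can still be emitted with an empty CN (assuming `ovpn_auth_verify` tolerates an empty second argument, which is not visible here). The `$cert = "";` assignment is not read anywhere in the hunk. The enclosing function starts and ends outside this hunk.
```php
if (($mode == 'client') && empty($settings['certref']))
	$servercn = "";
else {
	$cert = lookup_cert($settings['certref']);
	/* XXX: Seems not used at all! */
	$servercn = urlencode(cert_get_cn($cert['crt']));
}
// Emit the depth check regardless of whether this client has its own certificate.
$conf .= "tls-verify \"/usr/local/sbin/ovpn_auth_verify tls '{$servercn}' {$settings['cert_depth']}\"\n";
```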
usr/local/www/vpn_openvpn_client.php | ||
244 | 244 |
|
245 | 245 |
/* If we are not in shared key mode, then we need the CA/Cert. */ |
246 | 246 |
if ($pconfig['mode'] != "p2p_shared_key") { |
247 |
$reqdfields = explode(" ", "caref certref");
|
|
248 |
$reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));
|
|
247 |
$reqdfields = explode(" ", "caref"); |
|
248 |
$reqdfieldsn = array(gettext("Certificate Authority")); |
|
249 | 249 |
} elseif (!$pconfig['autokey_enable']) { |
250 | 250 |
/* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */ |
251 | 251 |
$reqdfields = array('shared_key'); |
... | ... | |
253 | 253 |
} |
254 | 254 |
|
255 | 255 |
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); |
256 |
|
|
256 |
|
|
257 |
if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) { |
|
258 |
$input_errors[] = gettext("If no Client Certificate is selected, a username and password must be entered."); |
|
259 |
} |
|
260 |
|
|
257 | 261 |
if (!$input_errors) { |
258 | 262 |
|
259 | 263 |
$client = array(); |
... | ... | |
733 | 737 |
<tr id="tls_cert"> |
734 | 738 |
<td width="22%" valign="top" class="vncellreq"><?=gettext("Client Certificate"); ?></td> |
735 | 739 |
<td width="78%" class="vtable"> |
736 |
<?php if (count($a_cert)): ?> |
|
737 | 740 |
<select name='certref' class="formselect"> |
738 | 741 |
<?php |
739 | 742 |
foreach ($a_cert as $cert): |
... | ... | |
753 | 756 |
?> |
754 | 757 |
<option value="<?=$cert['refid'];?>" <?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option> |
755 | 758 |
<?php endforeach; ?> |
759 |
<option value="" <?PHP if (empty($pconfig['certref'])) echo "selected=\"selected\""; ?>>None (Username and Password required)</option> |
|
756 | 760 |
</select> |
757 |
<?php else: ?>
|
|
758 |
<b>No Certificates defined.</b> <br />Create one under <a href="system_certmanager.php">System > Cert Manager</a>. |
|
761 |
<?php if (!count($a_cert)): ?>
|
|
762 |
<b>No Certificates defined.</b> <br />Create one under <a href="system_certmanager.php">System > Cert Manager</a> if one is required for this connection.
|
|
759 | 763 |
<?php endif; ?> |
760 | 764 |
</td> |
761 | 765 |
</tr> |
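Review bot: The validation added at new line 257 rejects a certificate-less client only when both `auth_user` and `auth_pass` are empty, so a username with no password (or a password with no username) passes `do_input_validation` even though the error text says both must be entered. Changing the inner conjunction to a disjunction makes the check match the message: `if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && (empty($pconfig['auth_user']) || empty($pconfig['auth_pass']))) {`. Whether an empty password is ever legitimately accepted by the authentication backend is not visible from this page, so confirm that before tightening. The surrounding validation block begins before this hunk.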
Allow the user to select "None" for the OpenVPN client certificate, so long as they supply an auth username/password. Ticket #3633